Editor’s Note: The customer push toward seamless, more accessible financial services might be opening the door to digital innovation, but it can also open up more security risks. Open banking, for example, has the potential to increase credential stuffing attacks, and institutions need to consider risks like this when adopting new technologies to satisfy customer demands. Proper planning and adoption of advanced security systems can lower the risks associated with digital evolution, allowing you to stay ahead of the competition without compromising on security. Consider solutions like DDoS Mitigation and Managed Network Security when you begin your digital transformation journey.
Ransomware attacks continue to dominate the headlines. However, there is another cyber threat that the banking industry needs to turn its attention to: The growing risk from credential stuffing attacks.
This threat has become increasingly pressing in recent years, with the FBI recently issuing a security advisory warning that credential stuffing is now a major threat facing financial organizations. While there are many drivers behind this threat vector, in this article I’ll be focusing on one in particular: the broad deployment of application programming interfaces (APIs). These have become increasingly popular in recent years to enable innovative digital banking services, but credit unions must be cognizant of the new vulnerabilities that open banking introduces.
In fact, the 2020 FBI credential stuffing advisory warned that these attacks often target APIs as these systems typically are less monitored than customer-facing login systems and are also generally less likely to mandate multi-factor authentication (MFA). To illustrate the severity of this threat, Gartner said it believes that APIs will be the most frequent online attack vector by this year.
The era of customer convenience
Before we delve into open banking security concerns, let’s first examine why APIs are so broadly deployed in credit unions today. One of the chief byproducts of digital transformation is consumers’ desire for a seamless online experience and intuitive, easy access to information. Leveraging APIs allows credit unions to deliver on these expectations and partner with various third parties to share financial data and, in so doing, provide customers with simplified access to numerous services.
One recent study from Plaid found that 73% of Americans believe using financial apps and other digital tools is the new normal, and that 82% of these respondents report better results when they use this technology. As such, we can only expect the proliferation of apps to increase in the years ahead.
Convenience can’t come at the cost of security
It’s clear that open banking has and will continue to transform the customer experience, but it’s imperative that this convenience not come at the cost of security. A 2020 report from Enterprise Strategy Group and Veracode found that nearly half of all organizations surveyed regularly and knowingly push vulnerable code into production for various reasons, including:
- To meet a deadline (54%);
- Because they believe the code is low risk (49%); and
- Because the issues were discovered too late to fix them prior to deployment (45%).
Regardless of the reason, when security is not top of mind, it makes it easier for hackers to access customer data and use it to defraud customers and financial institutions alike. In 2021, a white hat hacker was able to access 55 different financial organizations through APIs, change customer PINs and move money around. In one scenario, the code development was outsourced and the developer reused the code, meaning that hundreds of other financial institutions were vulnerable to the same attack vector.
There are numerous steps financial institutions must take at every stage from development through to deployment to mitigate API vulnerabilities. While there are too many to enumerate here, key considerations include:
- API discovery: to determine how many APIs exist in the environment;
- API inventory: to catalog all APIs, what they do and the type of information they handle; and
- API risk assessment: to determine whether any APIs are vulnerable to known risks, and also what would happen if one of these applications were attacked.
Combatting credential stuffing
As outlined, credential stuffing attacks are one of the primary ways hackers target API vulnerabilities. Therefore, it’s critical that financial institutions take steps to combat these attacks as part of addressing overall API security.
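The article notes that APIs are attractive for credential stuffing partly because they are monitored less closely than customer-facing login pages. The following is an added example, not code from the article or its author, of the kind of detection logic a WAF or SIEM rule would run over an API login endpoint's access log: it flags a source address that makes many failed attempts against many distinct usernames inside a short window, which is the signature of replaying a breached credential list. The log format, field names, thresholds and IP addresses are all constructed for the example (the addresses come from documentation ranges).

```python
"""Credential-stuffing detection over API login logs (added example, constructed data)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
import json

# Constructed sample: one JSON record per POST to a hypothetical /api/v1/login.
# 203.0.113.10 replays six different usernames in under a minute (stuffing);
# 198.51.100.7 is a single user who mistypes twice and then succeeds;
# 203.0.113.20 spreads five usernames an hour apart (low-and-slow, see note).
SAMPLE_LOG = """
{"ts": 1700000000, "ip": "203.0.113.10", "user": "alice", "status": 401}
{"ts": 1700000010, "ip": "203.0.113.10", "user": "bob", "status": 401}
{"ts": 1700000020, "ip": "203.0.113.10", "user": "carol", "status": 401}
{"ts": 1700000030, "ip": "203.0.113.10", "user": "dave", "status": 401}
{"ts": 1700000040, "ip": "203.0.113.10", "user": "erin", "status": 401}
{"ts": 1700000050, "ip": "203.0.113.10", "user": "frank", "status": 200}
{"ts": 1700000005, "ip": "198.51.100.7", "user": "bob", "status": 401}
{"ts": 1700000015, "ip": "198.51.100.7", "user": "bob", "status": 401}
{"ts": 1700000025, "ip": "198.51.100.7", "user": "bob", "status": 200}
{"ts": 1700000000, "ip": "203.0.113.20", "user": "gina", "status": 401}
{"ts": 1700003600, "ip": "203.0.113.20", "user": "hank", "status": 401}
{"ts": 1700007200, "ip": "203.0.113.20", "user": "ivan", "status": 401}
{"ts": 1700010800, "ip": "203.0.113.20", "user": "judy", "status": 401}
{"ts": 1700014400, "ip": "203.0.113.20", "user": "kim", "status": 401}
this line is deliberately malformed and must be skipped, not crash the parser
"""


@dataclass
class Finding:
    ip: str
    attempts: int
    distinct_users: int
    failures: int


def parse_log(text):
    """Parse newline-delimited JSON records, skipping malformed lines."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def detect_stuffing(records, window=300, min_attempts=5, min_distinct=4, min_fail_ratio=0.8):
    """Flag each source IP whose attempts within any `window`-second span show
    at least `min_attempts` logins spread over at least `min_distinct` usernames
    with a failure ratio of `min_fail_ratio` or higher."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append((int(r["ts"]), r["user"], int(r["status"])))

    findings = []
    for ip, attempts in by_ip.items():
        attempts.sort()  # chronological order for the sliding window
        users = Counter()  # usernames currently inside the window
        failures = 0
        start = 0
        for end, (ts, user, status) in enumerate(attempts):
            users[user] += 1
            if status != 200:
                failures += 1
            # Evict attempts that fell out of the window.
            while attempts[start][0] < ts - window:
                old_ts, old_user, old_status = attempts[start]
                users[old_user] -= 1
                if users[old_user] == 0:
                    del users[old_user]
                if old_status != 200:
                    failures -= 1
                start += 1
            n = end - start + 1
            if n >= min_attempts and len(users) >= min_distinct and failures / n >= min_fail_ratio:
                findings.append(Finding(ip, n, len(users), failures))
                break  # one finding per IP is enough for an alert
    return findings


if __name__ == "__main__":
    for f in detect_stuffing(parse_log(SAMPLE_LOG)):
        print(f"ALERT credential stuffing from {f.ip}: {f.failures}/{f.attempts} failures over {f.distinct_users} usernames")
```

Only 203.0.113.10 is flagged. The single user retrying their own account never reaches the distinct-username threshold, and the low-and-slow source never has more than one attempt inside a five-minute window; catching that pattern needs a longer horizon (per-IP distinct-username counts over hours or days) or correlation across IPs, which is exactly why the article recommends screening the credentials themselves rather than relying on rate thresholds alone.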
Prohibiting the use of previously exposed credentials for customer and employee accounts alike is one important step. However, this is challenging for numerous reasons: the prevalence of password reuse, the ever-growing volume of digital services and the sheer rate at which data breaches occur, to name just a few.
So, how can financial institutions decrease the likelihood of a successful credential stuffing attack?
- Make MFA Mandatory: MFA should always be enabled whenever employees or customers log into company accounts or systems.
- Deploy Web Application Firewalls: Using WAFs can help credit unions monitor for attacks and identify if a breach is occurring.
- Hash Passwords: Protecting all stored passwords with hashing ensures that no actual login details are revealed, should a data breach occur.
- Screen for Compromised Passwords: Another best practice is to ensure users are not using compromised passwords by screening them against a database of credentials exposed in previous data breaches. For maximum effectiveness, this should be done both at new password establishment and continuously thereafter.
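The last two recommendations above, hashing stored passwords and screening them against breached credentials both when set and afterwards, are shown together in the following added example. It is not code from the article or its author. The breach corpus is a constructed in-memory set standing in for a maintained feed, and the `range_lookup` function imitates a k-anonymity style query in which only the first five characters of a SHA-1 digest leave the client, so the full password hash is never sent to the screening service. Storage uses PBKDF2-HMAC-SHA256 with a per-user random salt via the standard library; the hash-string layout is this example's own convention.

```python
"""Salted password hashing plus compromised-password screening (added example)."""
import hashlib
import hmac
import os

# Constructed breach corpus: upper-case hex SHA-1 of passwords seen in
# (hypothetical) past breaches. A real deployment would query a maintained feed.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ["password", "123456", "qwerty", "letmein"]
}


def sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix, corpus=BREACHED_SHA1):
    """Simulated k-anonymity range query: return the suffixes of every breached
    digest sharing the 5-character prefix. Only the prefix reaches the service."""
    return {h[5:] for h in corpus if h.startswith(prefix)}


def is_compromised(password, corpus=BREACHED_SHA1):
    digest = sha1_upper(password)
    return digest[5:] in range_lookup(digest[:5], corpus)


def hash_password(password, salt=None, iterations=600_000):
    """Store passwords with a slow, salted KDF, never a plain fast hash."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)


def set_password(store, username, password, corpus=BREACHED_SHA1):
    """Screening at password establishment: refuse a breached password."""
    if is_compromised(password, corpus):
        return False
    store[username] = hash_password(password)
    return True


def login(store, username, password, corpus=BREACHED_SHA1):
    """Returns (authenticated, compromised). The plaintext is only legitimately
    available at login, so that is where continuous re-screening against an
    updated corpus happens; a hit should trigger a forced reset, not a silent allow."""
    stored = store.get(username)
    if stored is None or not verify_password(password, stored):
        return False, False
    return True, is_compromised(password, corpus)


if __name__ == "__main__":
    users = {}
    print("set 'password':", set_password(users, "alice", "password"))
    print("set strong pw :", set_password(users, "alice", "correct horse battery staple"))
    print("login         :", login(users, "alice", "correct horse battery staple"))
```

The design point is that the two hashes serve different purposes and must not be confused: the SHA-1 digest exists only so the password can be matched against a breach list without transmitting it, while the stored credential uses a deliberately slow, salted KDF so that a leaked database does not directly reveal logins, which is the property the "Hash Passwords" recommendation is really after.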
Open banking offers numerous opportunities to meet customers’ digital experience expectations and deliver new innovative strategies to maintain customer loyalty and competitive advantage. By being mindful of inherent API security concerns and taking steps to address vulnerabilities like credential stuffing, financial institutions can realize these benefits while protecting sensitive company and customer data.
This article was written by Mike Wilson from Credit Union Times and was legally licensed through the Industry Dive Content Marketplace. Please direct all licensing questions to email@example.com.